OFFICE OF INSPECTOR GENERAL

Audit Report
Evaluation of Information Security for the Railroad Retirement Board's
Financial Interchange Major Application

Report No. 08-03
September 26, 2008

Limited Distribution Audit Report
"NOT FOR PUBLIC DISTRIBUTION"

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

RAILROAD RETIREMENT BOARD

Report Abstract
Evaluation of Information Security for the Railroad Retirement Board's Financial Interchange Major Application
OIG Report No. 08-03
Dated September 26, 2008

This abstract summarizes the results of the Office of Inspector General's (OIG) evaluation of information security for the Railroad Retirement Board's (RRB) financial interchange major application.

The Federal Information Security Management Act (FISMA) mandates that agencies develop, document and implement an agency-wide information security program. FISMA establishes minimum information security requirements. These requirements are listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems."

The financial interchange is a collective term that describes a series of legally mandated periodic fund transfers between the Social Security Administration, the Railroad Retirement Board, the Centers for Medicare and Medicaid Services and the Treasury. The amounts transferred are the result of a complex statistical projection, and the Bureau of Actuary is responsible for determining the amount to be transferred each year. The Bureau of Information Services maintains the general support systems in which the financial interchange major application operates. In June 2008, the RRB received a net transfer for Fiscal Year 2007 of over $3.5 billion, representing 39% of RRB financing sources for that year.

Our work shows that the Bureau of Actuary needs to strengthen application-level controls in the financial interchange major application system. Our evaluation of applicable NIST security requirements disclosed weaknesses in access controls, contingency planning, systems development, systems documentation, and asset inventory.

Access Controls

We identified access and sharing permissions that did not restrict the financial interchange files and folders in a manner consistent with the principle of least privilege. Additionally, we identified individuals with high-level privileges and non-unique identification and passwords. The overall information security program is weakened because the Bureau of Actuary has increased its risk to an unacceptable level by allowing employees more access than necessary to accomplish their job function, as well as by inadequate accountability for some individuals.

Contingency Planning

We noted that the financial interchange major application had never been tested off-site for disaster recovery purposes. As a result, the Bureau of Actuary cannot ensure that the financial interchange major application can be restored from backup tapes and be fully functional in case of a disaster.

Systems Development

We observed that the Bureau of Actuary has not incorporated a formal systems development life cycle methodology when making changes to the financial interchange major application. The informal method of systems development used by the Bureau of Actuary has resulted in undetected errors and inconsistencies in recent changes to the application's edit code and Help file. Since edit codes provide input integrity when data is entered into the application, errors and inconsistencies can result in incorrect calculations of the financial interchange transfer amount.

Systems Documentation

Our review also showed that the Bureau of Actuary needs to develop complete, accurate system documentation to support the financial interchange major application system. We found discrepant, incomplete or inaccurate systems information in various documents maintained by the agency. Discrepant and incomplete system documentation undermines the security and management control programs as a whole.

Asset Inventory

The RRB's inventory records do not accurately identify the agency's existing information technology equipment. We noted a personal computer listed in the agency's fixed asset inventory which had been disposed of by the Bureau of Information Services several years prior to our review. A physical inventory performed by the Bureau of Information Services between the disposal date and the date of our review did not identify and correct the inaccurate data. We found that the Bureau of Information Services has draft procedures for the periodic inventory of equipment, but they do not provide for subsequent actions when equipment cannot be located. As a result, the RRB is unable to fully assess the security risk and potential data breach when equipment is not found.

We have made specific recommendations for corrective actions to strengthen these application controls and address the weaknesses identified in our audit. The Bureau of Actuary and the Bureau of Information Services have agreed to implement our recommendations to improve the information security related to the financial interchange major application.